It seems that we live in a world driven by buzzwords, particularly when it comes to technology. Whatever the press or analysts say is the next big thing, we feel obligated to pay attention and figure out a way to make it part of our day-to-day operations. A few years back the buzzword-of-the-moment was compliance and everything we did was colored by the impact it would have on compliance. Once compliance became yesterday’s news, the next big thing was governance and now if we don’t deal with governance we’ve missed the boat.

So what is governance and do we really need to worry about it?

In a new eBook I’ve written called Governance the Elusive Last Mile of IAM, I define governance as the process of ensuring that access is correct and auditable and that it follows the rules. So by that definition governance is absolutely necessary, but that doesn’t make it any easier to achieve.

So governance is really just making sure that the things that are required to give users access to computer resources and data (namely authentication, authorization, and identity administration) are done according to the rules … or are simply done “right.”

There are a number of reasons that governance can be such a challenge:

Risk is everywhere – internal, external, malicious, and unintended

Security is often executed in silos, which results in inconsistency and weak points

The key activity of governance – attestation – is often based on guesswork, which is entirely unacceptable

The fundamental task of any IAM initiative – provisioning – can make or break any efforts to achieve governance